Recursor
Monthly
DNS response manipulation in PowerDNS Recursor 5.4.x allows network-positioned attackers to inject false DNS records through insufficient validation of answers received from authoritative servers, resulting in low-integrity violations in name resolution for downstream clients. The 5.4.x branch received hardening patches per PowerDNS advisory 2026-08 to close this validation gap. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.
DNSSEC validation in PowerDNS Recursor can be silently undermined by network-positioned attackers who spoof DNS replies to trick the Recursor into permanently marking a legitimate authoritative server's IP as EDNS-incapable. Once that state is poisoned, the Recursor is unable to perform proper DNSSEC validation for any zones served by that authoritative server, effectively disabling a critical security layer for downstream clients. No active exploitation has been confirmed by CISA KEV, and no public proof-of-concept has been identified at time of analysis; however, the attack complexity is rated High due to the spoofing prerequisite.
ZONEMD validation bypass in PowerDNS Recursor allows a cryptographically invalid DNS zone to be accepted as legitimate when ZoneToCache is configured with ZONEMD validation enabled. This undermines the integrity guarantee that ZONEMD is designed to provide - an attacker capable of serving a crafted zone to the resolver (e.g., via a rogue authoritative source or network interception) can cause the recursor to cache and serve tampered DNS data. No public exploit code has been identified and exploitation is not confirmed in CISA KEV; real-world risk is constrained by the non-default configuration prerequisite.
PowerDNS Recursor crashes when processing a malformed SOA record within a catalog zone, resulting in a denial of service for all DNS resolution handled by the affected instance. The CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) confirms network-reachable unauthenticated exploitation, but high attack complexity reflects the non-default catalog zone configuration required. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
PowerDNS Recursor crashes when a malicious authoritative DNS server serves a crafted zone via the ZoneToCache function, exploiting insufficient input validation to cause a denial of service. The CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) confirms this is a remotely triggerable availability-only impact, though high attack complexity reflects the prerequisite of controlling or compromising an authoritative name server in the resolution path. No public exploit code has been identified at time of analysis, and no KEV listing exists, but the impact on DNS infrastructure availability makes this a meaningful operational risk for affected deployments.
Improper packet cache handling in PowerDNS Recursor causes ECS zero-scoped DNS answers to be stored in the cache when they should be discarded or handled as global entries, creating an information disclosure pathway. All Recursor versions (cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*) are affected, but only deployments with EDNS Client Subnet (ECS) explicitly enabled are exposed. The CVSS score of 5.3 with a network vector and no required privileges reflects that any DNS client can trigger the improper caching behavior, though real-world impact is bounded by the non-default ECS configuration requirement. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog.
Crafted zones can lead to increased incoming network traffic. [CVSS 5.3 MEDIUM]
DNS recursive resolver denial-of-service via crafted zones and CNAME chain manipulation allows unauthenticated attackers to exhaust server resources and potentially poison the resolver's cache. The vulnerability affects Recursor instances exposed to untrusted DNS queries, enabling attackers to degrade performance or compromise DNS resolution integrity. No patch is currently available.
Crafted delegations or IP fragments can poison cached delegations in Recursor. [CVSS 6.5 MEDIUM]
Crafted delegations or IP fragments can poison cached delegations in Recursor. [CVSS 8.2 HIGH]
Denial of service vulnerability in PowerDNS Recursor allows authoritative servers to be marked unavailable.6.5, through 4.7.4 , through 4.8.3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A remote attacker might be able to cause infinite recursion in PowerDNS Recursor 4.8.0 via a DNS query that retrieves DS records for a misconfigured domain, because QName minimization is used in QM. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PowerDNS Recursor up to and including 4.5.9, 4.6.2 and 4.7.1, when protobuf logging is enabled, has Improper Cleanup upon a Thrown Exception, leading to a denial of service (daemon crash) via a DNS. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In PowerDNS Authoritative Server before 4.4.3, 4.5.x before 4.5.4, and 4.6.x before 4.6.1 and PowerDNS Recursor before 4.4.8, 4.5.x before 4.5.8, and 4.6.x before 4.6.1, insufficient validation of an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
An issue has been found in PowerDNS Recursor before 4.1.18, 4.2.x before 4.2.5, and 4.3.x before 4.3.5. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In PowerDNS Recursor versions up to and including 4.3.1, 4.2.2 and 4.1.16, the ACL restricting access to the internal web server is not properly enforced. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PowerDNS Recursor from 4.1.0 up to and including 4.3.0 does not sufficiently defend against amplification attacks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue has been found in PowerDNS Recursor 4.1.0 up to and including 4.3.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An issue has been found in PowerDNS Recursor 4.1.0 through 4.3.0 where records in the answer section of a NXDOMAIN response lacking an SOA were not properly validated in SyncRes::processAnswer,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue has been found in PowerDNS Recursor versions 4.1.x before 4.1.9 where records in the answer section of responses received from authoritative servers with the AA flag not set were not. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue has been found in PowerDNS Recursor versions after 4.1.3 before 4.1.9 where Lua hooks are not properly applied to queries received over TCP in some specific combination of settings, possibly. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
An issue has been found in PowerDNS Recursor before version 4.1.8 where a remote attacker sending a DNS query can trigger an out-of-bounds memory read while computing the hash of the query for a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PowerDNS Authoritative Server 4.1.0 up to 4.1.4 inclusive and PowerDNS Recursor 4.0.0 up to 4.1.4 inclusive are vulnerable to a packet cache pollution via crafted query that can lead to denial of. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PowerDNS Authoritative Server 3.3.0 up to 4.1.4 excluding 4.1.5 and 4.0.6, and PowerDNS Recursor 3.2 up to 4.1.4 excluding 4.1.5 and 4.0.9, are vulnerable to a memory leak while parsing malformed. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue has been found in PowerDNS Recursor from 4.0.0 up to and including 4.1.4. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper input validation bugs in DNSSEC validators components in PowerDNS version 4.1.0 allow attacker in man-in-the-middle position to deny existence of some data in DNS via packet replay. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
The label decompression functionality in PowerDNS Recursor before 3.6.4 and 3.7.x before 3.7.3 and Authoritative (Auth) Server before 3.3.3 and 3.4.x before 3.4.5 allows remote attackers to cause a. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity.
The label decompression functionality in PowerDNS Recursor 3.5.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.2 and Authoritative (Auth) Server 3.2.x, 3.3.x before 3.3.2, and 3.4.x before 3.4.4 allows. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
PowerDNS Recursor before 3.6.2 does not limit delegation chaining, which allows remote attackers to cause a denial of service ("performance degradations") via a large or infinite number of referrals,. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
DNS response manipulation in PowerDNS Recursor 5.4.x allows network-positioned attackers to inject false DNS records through insufficient validation of answers received from authoritative servers, resulting in low-integrity violations in name resolution for downstream clients. The 5.4.x branch received hardening patches per PowerDNS advisory 2026-08 to close this validation gap. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.
DNSSEC validation in PowerDNS Recursor can be silently undermined by network-positioned attackers who spoof DNS replies to trick the Recursor into permanently marking a legitimate authoritative server's IP as EDNS-incapable. Once that state is poisoned, the Recursor is unable to perform proper DNSSEC validation for any zones served by that authoritative server, effectively disabling a critical security layer for downstream clients. No active exploitation has been confirmed by CISA KEV, and no public proof-of-concept has been identified at time of analysis; however, the attack complexity is rated High due to the spoofing prerequisite.
ZONEMD validation bypass in PowerDNS Recursor allows a cryptographically invalid DNS zone to be accepted as legitimate when ZoneToCache is configured with ZONEMD validation enabled. This undermines the integrity guarantee that ZONEMD is designed to provide - an attacker capable of serving a crafted zone to the resolver (e.g., via a rogue authoritative source or network interception) can cause the recursor to cache and serve tampered DNS data. No public exploit code has been identified and exploitation is not confirmed in CISA KEV; real-world risk is constrained by the non-default configuration prerequisite.
PowerDNS Recursor crashes when processing a malformed SOA record within a catalog zone, resulting in a denial of service for all DNS resolution handled by the affected instance. The CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) confirms network-reachable unauthenticated exploitation, but high attack complexity reflects the non-default catalog zone configuration required. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
PowerDNS Recursor crashes when a malicious authoritative DNS server serves a crafted zone via the ZoneToCache function, exploiting insufficient input validation to cause a denial of service. The CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) confirms this is a remotely triggerable availability-only impact, though high attack complexity reflects the prerequisite of controlling or compromising an authoritative name server in the resolution path. No public exploit code has been identified at time of analysis, and no KEV listing exists, but the impact on DNS infrastructure availability makes this a meaningful operational risk for affected deployments.
Improper packet cache handling in PowerDNS Recursor causes ECS zero-scoped DNS answers to be stored in the cache when they should be discarded or handled as global entries, creating an information disclosure pathway. All Recursor versions (cpe:2.3:a:powerdns:recursor:*:*:*:*:*:*:*:*) are affected, but only deployments with EDNS Client Subnet (ECS) explicitly enabled are exposed. The CVSS score of 5.3 with a network vector and no required privileges reflects that any DNS client can trigger the improper caching behavior, though real-world impact is bounded by the non-default ECS configuration requirement. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog.
Crafted zones can lead to increased incoming network traffic. [CVSS 5.3 MEDIUM]
DNS recursive resolver denial-of-service via crafted zones and CNAME chain manipulation allows unauthenticated attackers to exhaust server resources and potentially poison the resolver's cache. The vulnerability affects Recursor instances exposed to untrusted DNS queries, enabling attackers to degrade performance or compromise DNS resolution integrity. No patch is currently available.
Crafted delegations or IP fragments can poison cached delegations in Recursor. [CVSS 6.5 MEDIUM]
Crafted delegations or IP fragments can poison cached delegations in Recursor. [CVSS 8.2 HIGH]
Denial of service vulnerability in PowerDNS Recursor allows authoritative servers to be marked unavailable.6.5, through 4.7.4 , through 4.8.3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A remote attacker might be able to cause infinite recursion in PowerDNS Recursor 4.8.0 via a DNS query that retrieves DS records for a misconfigured domain, because QName minimization is used in QM. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PowerDNS Recursor up to and including 4.5.9, 4.6.2 and 4.7.1, when protobuf logging is enabled, has Improper Cleanup upon a Thrown Exception, leading to a denial of service (daemon crash) via a DNS. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In PowerDNS Authoritative Server before 4.4.3, 4.5.x before 4.5.4, and 4.6.x before 4.6.1 and PowerDNS Recursor before 4.4.8, 4.5.x before 4.5.8, and 4.6.x before 4.6.1, insufficient validation of an. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
An issue has been found in PowerDNS Recursor before 4.1.18, 4.2.x before 4.2.5, and 4.3.x before 4.3.5. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In PowerDNS Recursor versions up to and including 4.3.1, 4.2.2 and 4.1.16, the ACL restricting access to the internal web server is not properly enforced. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PowerDNS Recursor from 4.1.0 up to and including 4.3.0 does not sufficiently defend against amplification attacks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue has been found in PowerDNS Recursor 4.1.0 up to and including 4.3.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An issue has been found in PowerDNS Recursor 4.1.0 through 4.3.0 where records in the answer section of a NXDOMAIN response lacking an SOA were not properly validated in SyncRes::processAnswer,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue has been found in PowerDNS Recursor versions 4.1.x before 4.1.9 where records in the answer section of responses received from authoritative servers with the AA flag not set were not. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue has been found in PowerDNS Recursor versions after 4.1.3 before 4.1.9 where Lua hooks are not properly applied to queries received over TCP in some specific combination of settings, possibly. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
An issue has been found in PowerDNS Recursor before version 4.1.8 where a remote attacker sending a DNS query can trigger an out-of-bounds memory read while computing the hash of the query for a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PowerDNS Authoritative Server 4.1.0 up to 4.1.4 inclusive and PowerDNS Recursor 4.0.0 up to 4.1.4 inclusive are vulnerable to a packet cache pollution via crafted query that can lead to denial of. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PowerDNS Authoritative Server 3.3.0 up to 4.1.4 excluding 4.1.5 and 4.0.6, and PowerDNS Recursor 3.2 up to 4.1.4 excluding 4.1.5 and 4.0.9, are vulnerable to a memory leak while parsing malformed. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue has been found in PowerDNS Recursor from 4.0.0 up to and including 4.1.4. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper input validation bugs in DNSSEC validators components in PowerDNS version 4.1.0 allow attacker in man-in-the-middle position to deny existence of some data in DNS via packet replay. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
The label decompression functionality in PowerDNS Recursor before 3.6.4 and 3.7.x before 3.7.3 and Authoritative (Auth) Server before 3.3.3 and 3.4.x before 3.4.5 allows remote attackers to cause a. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity.
The label decompression functionality in PowerDNS Recursor 3.5.x, 3.6.x before 3.6.3, and 3.7.x before 3.7.2 and Authoritative (Auth) Server 3.2.x, 3.3.x before 3.3.2, and 3.4.x before 3.4.4 allows. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
PowerDNS Recursor before 3.6.2 does not limit delegation chaining, which allows remote attackers to cause a denial of service ("performance degradations") via a large or infinite number of referrals,. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.